diff --git a/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go b/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go
index 3364705e43..8532d97b48 100644
--- a/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go
+++ b/control-plane/connect-inject/webhook/consul_dataplane_sidecar.go
@@ -216,10 +216,11 @@ func (w *MeshWebhook) consulDataplaneSidecar(namespace corev1.Namespace, pod cor
 			}
 		}
 		container.SecurityContext = &corev1.SecurityContext{
-			RunAsUser:              pointer.Int64(sidecarUserAndGroupID),
-			RunAsGroup:             pointer.Int64(sidecarUserAndGroupID),
-			RunAsNonRoot:           pointer.Bool(true),
-			ReadOnlyRootFilesystem: pointer.Bool(true),
+			RunAsUser:                pointer.Int64(sidecarUserAndGroupID),
+			RunAsGroup:               pointer.Int64(sidecarUserAndGroupID),
+			RunAsNonRoot:             pointer.Bool(true),
+			AllowPrivilegeEscalation: pointer.Bool(false),
+			ReadOnlyRootFilesystem:   pointer.Bool(true),
 		}
 	}
 
diff --git a/control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go b/control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go
index 9f2f71074f..d207a62b13 100644
--- a/control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go
+++ b/control-plane/connect-inject/webhook/consul_dataplane_sidecar_test.go
@@ -798,20 +798,22 @@ func TestHandlerConsulDataplaneSidecar_withSecurityContext(t *testing.T) {
 			tproxyEnabled:    false,
 			openShiftEnabled: false,
 			expSecurityContext: &corev1.SecurityContext{
-				RunAsUser:              pointer.Int64(sidecarUserAndGroupID),
-				RunAsGroup:             pointer.Int64(sidecarUserAndGroupID),
-				RunAsNonRoot:           pointer.Bool(true),
-				ReadOnlyRootFilesystem: pointer.Bool(true),
+				RunAsUser:                pointer.Int64(sidecarUserAndGroupID),
+				RunAsGroup:               pointer.Int64(sidecarUserAndGroupID),
+				RunAsNonRoot:             pointer.Bool(true),
+				ReadOnlyRootFilesystem:   pointer.Bool(true),
+				AllowPrivilegeEscalation: pointer.Bool(false),
 			},
 		},
 		"tproxy enabled; openshift disabled": {
 			tproxyEnabled:    true,
 			openShiftEnabled: false,
 			expSecurityContext: &corev1.SecurityContext{
-				RunAsUser:              pointer.Int64(sidecarUserAndGroupID),
-				RunAsGroup:             pointer.Int64(sidecarUserAndGroupID),
-				RunAsNonRoot:           pointer.Bool(true),
-				ReadOnlyRootFilesystem: pointer.Bool(true),
+				RunAsUser:                pointer.Int64(sidecarUserAndGroupID),
+				RunAsGroup:               pointer.Int64(sidecarUserAndGroupID),
+				RunAsNonRoot:             pointer.Bool(true),
+				ReadOnlyRootFilesystem:   pointer.Bool(true),
+				AllowPrivilegeEscalation: pointer.Bool(false),
 			},
 		},
 		"tproxy disabled; openshift enabled": {
@@ -823,10 +825,11 @@ func TestHandlerConsulDataplaneSidecar_withSecurityContext(t *testing.T) {
 			tproxyEnabled:    true,
 			openShiftEnabled: true,
 			expSecurityContext: &corev1.SecurityContext{
-				RunAsUser:              pointer.Int64(sidecarUserAndGroupID),
-				RunAsGroup:             pointer.Int64(sidecarUserAndGroupID),
-				RunAsNonRoot:           pointer.Bool(true),
-				ReadOnlyRootFilesystem: pointer.Bool(true),
+				RunAsUser:                pointer.Int64(sidecarUserAndGroupID),
+				RunAsGroup:               pointer.Int64(sidecarUserAndGroupID),
+				RunAsNonRoot:             pointer.Bool(true),
+				ReadOnlyRootFilesystem:   pointer.Bool(true),
+				AllowPrivilegeEscalation: pointer.Bool(false),
 			},
 		},
 	}
diff --git a/control-plane/connect-inject/webhook/container_init.go b/control-plane/connect-inject/webhook/container_init.go
index db13485489..5a18120dbf 100644
--- a/control-plane/connect-inject/webhook/container_init.go
+++ b/control-plane/connect-inject/webhook/container_init.go
@@ -260,6 +260,8 @@ func (w *MeshWebhook) containerInit(namespace corev1.Namespace, pod corev1.Pod,
 				Capabilities: &corev1.Capabilities{
 					Drop: []corev1.Capability{"ALL"},
 				},
+				ReadOnlyRootFilesystem:   pointer.Bool(true),
+				AllowPrivilegeEscalation: pointer.Bool(false),
 			}
 		}
 	}
diff --git a/control-plane/connect-inject/webhook/container_init_test.go b/control-plane/connect-inject/webhook/container_init_test.go
index 5f14f44bc2..50cffa2ad6 100644
--- a/control-plane/connect-inject/webhook/container_init_test.go
+++ b/control-plane/connect-inject/webhook/container_init_test.go
@@ -299,6 +299,8 @@ func TestHandlerContainerInit_transparentProxy(t *testing.T) {
 					Capabilities: &corev1.Capabilities{
 						Drop: []corev1.Capability{"ALL"},
 					},
+					ReadOnlyRootFilesystem:   pointer.Bool(true),
+					AllowPrivilegeEscalation: pointer.Bool(false),
 				}
 			} else if c.expTproxyEnabled {
 				expectedSecurityContext = &corev1.SecurityContext{